Nuclear Exploit Pack goes 2.0

At a time when the market-leading Black Hole Exploit Kit continues to gain share, competing products are bound to emerge. What is the competition up to? Has it managed to differentiate itself from the market leader, or is it basically a "me too" exploit kit with no significant features worth emphasizing?

In this post, I'll profile the recently advertised Nuclear Exploit Pack v2.0, elaborate on its features, and discuss whether or not it has the potential to outpace the market leader (Black Hole Exploit Kit) in terms of market share.

More details:

Screenshots of the Nuclear Exploit Pack’s latest version:

As you can see in the above screenshot, the cybercriminal advertising the second version of the Nuclear Exploit Pack is currently running six separate malicious campaigns. The first campaign has already infected 1,194 hosts, the majority of which run Windows 7 with Internet Explorer 9.0.

Second screenshot of the Nuclear Exploit Pack v2.0 in action:

The second screenshot shows that the cybercriminal has also exploited 3,132 users located in Italy, running outdated versions of Internet Explorer on Windows XP.

Third screenshot of the Nuclear Exploit pack in action:

The third screenshot shows the statistics from yet another malicious campaign operated by the cybercriminal behind the Nuclear Exploit Pack: 345 hosts have been infected, the majority of which run Windows 7 with Internet Explorer 8.0.

Fourth screenshot of the Nuclear Exploit pack v2.0 in action:

The fourth screenshot indicates that 166 hosts were exploited, the majority of which still run Windows XP with Internet Explorer 8.0. Notably, although the cybercriminal behind the kit blurred the referrers for all the campaigns, he did not blur the MD5s of the payloads served in them, which leaves researchers with usable indicators to pivot on.
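The per-campaign breakdowns by operating system and browser shown in the screenshots are the kind of statistics an exploit kit's server-side panel derives from each victim's User-Agent header. The following is an added example, not code from the Nuclear Exploit Pack or from this post, that reproduces that aggregation over a constructed set of User-Agent strings. The same logic, run over a defender's own proxy logs, shows how much of an organisation's population presents the Windows XP / legacy Internet Explorer profile that these campaigns infected most.

```python
import re
from collections import Counter

# Constructed sample User-Agent strings (not taken from the kit's panel or logs).
# The mix mirrors the OS/browser combinations reported in the screenshots.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 "
    "(KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",
]

# Windows NT kernel version (the "Windows NT x.y" UA token) -> marketing name.
WINDOWS_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
}

_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
_MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
# Order matters: a Chrome UA also carries "Safari/", so Chrome is tested first
# and real Safari is recognised by its "Version/x" token.
_OTHER_BROWSERS = [
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)\S* Safari/")),
]


def classify_user_agent(ua):
    """Map a User-Agent string to an (os_name, browser_name) pair.

    Only the fields an exploit-kit panel cares about are extracted precisely:
    the Windows release and the Internet Explorer major version. Everything
    else is classified coarsely.
    """
    m = _NT_RE.search(ua)
    if m:
        os_name = WINDOWS_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))
    elif "Mac OS X" in ua:
        os_name = "Mac OS X"
    elif "Linux" in ua:
        os_name = "Linux"
    else:
        os_name = "Unknown"

    m = _MSIE_RE.search(ua)
    if m:
        return os_name, "Internet Explorer %s.0" % m.group(1)
    for name, rx in _OTHER_BROWSERS:
        m = rx.search(ua)
        if m:
            return os_name, "%s %s" % (name, m.group(1))
    return os_name, "Other"


def campaign_breakdown(user_agents):
    """Count (os, browser) pairs: the per-campaign table a panel displays."""
    return Counter(classify_user_agent(ua) for ua in user_agents)


def top_combination(user_agents):
    """Most common (os, browser) pair with its hit count, or None on no input."""
    counts = campaign_breakdown(user_agents)
    return counts.most_common(1)[0] if counts else None


def legacy_ie_count(user_agents, max_major=8):
    """Hits from Internet Explorer <= max_major, the 'outdated IE' population
    the post describes as the bulk of the Windows XP infections."""
    n = 0
    for ua in user_agents:
        m = _MSIE_RE.search(ua)
        if m and int(m.group(1)) <= max_major:
            n += 1
    return n


if __name__ == "__main__":
    breakdown = campaign_breakdown(SAMPLE_USER_AGENTS)
    for (os_name, browser), hits in breakdown.most_common():
        print("%5d  %-30s %s" % (hits, os_name, browser))
    print("legacy IE hits:", legacy_ie_count(SAMPLE_USER_AGENTS))
```

Feed the functions real `User-Agent` values from a web proxy log instead of the constructed list to get the equivalent breakdown for your own users; a large share of "Windows XP / Internet Explorer 8.0 or lower" is exactly the population the campaigns above were infecting.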

What differentiates this cybercrime ecosystem advertisement is that the seller uses "risk-forwarding" tactics, attempting to shift the legal exposure created by the kit's criminal nature onto the buyer. They achieve this by introducing a Terms of Service (TOS) that everyone must agree to before using the product.

The TOS forbids the following practices:

Actions that would violate the law of the Russian Federation

Acquiring traffic through spam emails

Acquiring traffic through iFrame injection

Testing the software on public services such as VirusTotal

Offering Cybercrime-as-a-Service business services based on the kit

Building an affiliate program around the exploit kit

What about the prices for purchasing access to the exploit kit? Here they are:

Potential customers who only want to test the exploit kit can do so for a period of 24 hours for just 50 WMZ (WebMoney's US-dollar-denominated units).

Is the Nuclear Exploit Pack a potential market leader in the long term, or will it remain a follower in a marketplace where the Black Hole Exploit Kit is the definitive leader? Although the kit takes advantage of recent Java vulnerabilities, it lacks the major OPSEC (operational security) features of the Black Hole Exploit Kit. That makes its campaigns much easier to analyze than those of Black Hole Exploit Kit v2.0, which introduced a variety of features designed to make campaigns harder for vendors and security researchers to detect and analyze.
